[GH-ISSUE #2030] Panic: "bad character in CAA issuer value" #854

Closed
opened 2026-03-16 00:35:58 +03:00 by kerem · 3 comments
Owner

Originally created by @oherrala on GitHub (Sep 20, 2023).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2030

Running cargo-fuzz in this repo with #2025 PR included there's a crash:

% cargo +nightly fuzz run message

Message { header: Header { id: 12594, message_type: Response, op_code: Query, authoritative: false, truncation: false, recursion_desired: true, recursion_available: false, authentic_data: tr
ue, checking_disabled: false, response_code: Refused, query_count: 0, answer_count: 0, name_server_count: 0, additional_count: 1 }, queries: [], answers: [], name_servers: [], additionals: [
Record { name_labels: Name("."), rr_type: CAA, dns_class: IN, ttl: 3221225472, rdata: Some(CAA(CAA { issuer_critical: false, tag: Issue, value: Issuer(Some(Name("n.t")), [KeyValue { key: "po
", value: "lieyÿÿÿÿÿÿÿÿÿÿcvÀ" }]) })) }], signature: [], edns: None }                                                                                                                         
thread '<unnamed>' panicked at fuzz_targets/message.rs:29:17:                                                                                                                                 
Message failed to deserialize: ProtoError { kind: Msg("bad character in CAA issuer value: '\u{80}'") }

The payload:

Output of `std::fmt::Debug`:

        [49, 50, 129, 101, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 1, 192, 0, 0, 0, 0, 32, 0, 5, 105, 115, 115, 117, 101, 110, 46, 116, 59, 32, 112, 111, 61, 108, 105, 101, 121, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 99, 118, 192]
% hexyl --color never fuzz/artifacts/message/crash-84dfeabab146929ed1b7509e12f55e0dce79ba92
┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐
│00000000│ 31 32 81 65 00 00 00 00 ┊ 00 00 00 01 00 01 01 00 │12×e⋄⋄⋄⋄┊⋄⋄⋄•⋄••⋄│
│00000010│ 01 c0 00 00 00 00 20 00 ┊ 05 69 73 73 75 65 6e 2e │•×⋄⋄⋄⋄ ⋄┊•issuen.│
│00000020│ 74 3b 20 70 6f 3d 6c 69 ┊ 65 79 ff ff ff ff ff ff │t; po=li┊ey××××××│
│00000030│ ff ff ff ff 63 76 c0    ┊                         │××××cv× ┊        │
└────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘
Originally created by @oherrala on GitHub (Sep 20, 2023). Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2030 Running cargo-fuzz in this repo with #2025 PR included there's a crash: ```console % cargo +nightly fuzz run message Message { header: Header { id: 12594, message_type: Response, op_code: Query, authoritative: false, truncation: false, recursion_desired: true, recursion_available: false, authentic_data: tr ue, checking_disabled: false, response_code: Refused, query_count: 0, answer_count: 0, name_server_count: 0, additional_count: 1 }, queries: [], answers: [], name_servers: [], additionals: [ Record { name_labels: Name("."), rr_type: CAA, dns_class: IN, ttl: 3221225472, rdata: Some(CAA(CAA { issuer_critical: false, tag: Issue, value: Issuer(Some(Name("n.t")), [KeyValue { key: "po ", value: "lieyÿÿÿÿÿÿÿÿÿÿcvÀ" }]) })) }], signature: [], edns: None } thread '<unnamed>' panicked at fuzz_targets/message.rs:29:17: Message failed to deserialize: ProtoError { kind: Msg("bad character in CAA issuer value: '\u{80}'") } ``` The payload: ``` Output of `std::fmt::Debug`: [49, 50, 129, 101, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 1, 192, 0, 0, 0, 0, 32, 0, 5, 105, 115, 115, 117, 101, 110, 46, 116, 59, 32, 112, 111, 61, 108, 105, 101, 121, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 99, 118, 192] ``` ``` % hexyl --color never fuzz/artifacts/message/crash-84dfeabab146929ed1b7509e12f55e0dce79ba92 ┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐ │00000000│ 31 32 81 65 00 00 00 00 ┊ 00 00 00 01 00 01 01 00 │12×e⋄⋄⋄⋄┊⋄⋄⋄•⋄••⋄│ │00000010│ 01 c0 00 00 00 00 20 00 ┊ 05 69 73 73 75 65 6e 2e │•×⋄⋄⋄⋄ ⋄┊•issuen.│ │00000020│ 74 3b 20 70 6f 3d 6c 69 ┊ 65 79 ff ff ff ff ff ff │t; po=li┊ey××××××│ │00000030│ ff ff ff ff 63 76 c0 ┊ │××××cv× ┊ │ └────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘ ```
kerem closed this issue 2026-03-16 00:36:03 +03:00
Author
Owner

@bluejekyll commented on GitHub (Sep 20, 2023):

I really need to come up with an easier way for us to import fuzz crash reports into the project. On this one, it looks like this might be a test failure? The data appears to fail deserialization due to valid errors in the stream. I thought the fuzzing impl dealt with that. I'll have to take a look.

<!-- gh-comment-id:1727926405 --> @bluejekyll commented on GitHub (Sep 20, 2023): I really need to come up with an easier way for us to import fuzz crash reports into the project. On this one, it looks like this might be a test failure? The data appears to fail deserialization due to valid errors in the stream. I thought the fuzzing impl dealt with that. I'll have to take a look.
Author
Owner

@bluejekyll commented on GitHub (Sep 20, 2023):

Ah, I see, this appears to be a round-tripping issue. I wonder if that's ultimately important or not for us... I'm not sure it's catching what we are most concerned with fuzz, which is bad data coming in off the wire and crashing the deserialization or causing issues at that time. The fuzz target seems to trip up on this round-trip logic often, and I'm not sure if it's an important detail. That is, this is bad data, it shouldn't be valid to construct it...

<!-- gh-comment-id:1727943671 --> @bluejekyll commented on GitHub (Sep 20, 2023): Ah, I see, this appears to be a round-tripping issue. I wonder if that's ultimately important or not for us... I'm not sure it's catching what we are most concerned with fuzz, which is bad data coming in off the wire and crashing the deserialization or causing issues at that time. The fuzz target seems to trip up on this round-trip logic often, and I'm not sure if it's an important detail. That is, this is bad data, it shouldn't be valid to construct it...
Author
Owner

@divergentdave commented on GitHub (Apr 1, 2025):

This was fixed in #2373.

<!-- gh-comment-id:2770020905 --> @divergentdave commented on GitHub (Apr 1, 2025): This was fixed in #2373.
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/hickory-dns#854
No description provided.